[Date Prev][Date Next]
Re: Design question
On 07/22/10 12:49 AM, Isaac Hailperin wrote:
I work with an organisation of similar size and we delete leavers form
the LDAP server and just archive their home directories.
currently I am redesigning the ldap server for a site which has about
700 users, with approximatly 200 new user per year, and maybe a little
less dropping out every year.
The information about the lifetime of an account is kept in a
different database(mysql). Thus, in order to check if an account is
expired, I need to check with that database. While this might not be
the happiest situation, it is partly due to historical rereasons,
partly due to other restrictions beyond my reach. In any case, there
is nothing I can do about it.
Now I would like to have a way to make shure that usernames and
numerical uids will never get reused. Also, I would like to keep trac
of who had an account, sort of a history.
Two ideas came to my mind:
1. Have an "expired" flag in the schema. Records with the expired flag
would be blocked from login with an appropriate acl.
2. Have an archive subtree, where expired records get moved to.
The beauty of the first idea seems to me that it is very simple. The
downside is that there would be two places where the expired flag
would live, the ldap server and the other database (see above). Also,
over the years, the number of records in the people subtree would grow
and grow (not shure if this is an disadvantage though).
The beauty of the second idea is that the people subtree would be
"clean", containing only active accounts. The downside seems to me
that it looks a bit more involved.
Now I was wondering how other people have solved this, or if anyone
would favor on of the solution.
One disadvantage of 1 is your database will grow and your searches will
LDAP isn't really the place for archival data, if you want to preserve
it export the LDIF for the user and archive that.